Slackware: This Forum is for the discussion of Slackware Linux.
Our office subscribes to the Cybersecurity and Infrastructure Security Agency's "Web Application Scanning" report. They have been dinging us for a while with vulnerability issues in openssl 1.1.1w and are advising upgrading to 1.1.1x which fixes the problem. 1.1.1w is the latest available for Slackware 15.0.
Does anyone have any idea when 1.1.1x will be part of the standard release?
I see that Slackware-current has openssl 1.1.1x. Can I just download and install that package or will that mess up all kinds of things?
Also, when 1.1.1w was released, the openssl team declared 1.1.1 EOL. I doubt there are any more vulnerability fixes, as they will charge money for them.
Are they trying to get you to upgrade to version 3.x, and their message is just wrong?
They did say that versions 3.0.14, 3.1.6 and 3.2.2 don't have the vulnerability. Does anyone know if there will be a Linux/Slackware release of these versions any time soon?
Quote:
Originally Posted by Petri Kaukasoina
There is already 1.1.1y for paying customers.
And to whom does one pay? If it's the same $50K as mentioned by ponce, I can't imagine why anyone would pay that, especially for low severity problems.
CVE-2023-5678 Excessive time spent in DH check / generation with large Q parameter value [LOW severity] 06 November 2023
CVE-2024-0727 PKCS12 Decoding crashes [Low severity] 25 January 2024
CVE-2024-2511 Unbounded memory growth with session handling in TLSv1.3 [Low severity] 08 April 2024
So, these issues are all low severity. The worst consequence, it seems, is "excessive time" (CVE-2023-5678) or the system crashes (CVE-2024-0727, CVE-2024-2511). Nothing about infiltration or data exfiltration.
I don't see why this is a big deal.
As Linux is supposed to be a free distro, I would assume they'll be coming out with a new version of openssl one of these days, yes?
Reading the disclosures on the 3 vulnerability fixes at the link shared, I think most people would not be affected by those bugs. I think with some research, you can determine if you can keep using 1.1.1w and report back to your compliance people that you are not using a vulnerable configuration.
Quote:
Originally Posted by mfoley
They did say that versions 3.0.14, 3.1.6 and 3.2.2 don't have the vulnerability. Does anyone know if there will be a Linux/Slackware release of these versions any time soon?
And to whom does one pay? If it's the same $50K as mentioned by ponce, I can't imagine why anyone would pay that, especially for low severity problems.
Slackware current has openssl 3.3.0. There's your other option if you want to upgrade. Or you might be able to backport it and recompile the applications you are using.
And to whom does one pay? If it's the same $50K as mentioned by ponce, I can't imagine why anyone would pay that, especially for low severity problems.
There are plenty of vendors who use OpenSSL in their appliances who cannot easily upgrade them to a newer version of OpenSSL, as it requires lots of work. Such vendors take out the extended support contract to bridge the gap until those appliances can either be upgraded or they're EOL. Customers often pay vendors (RH, MS and I'm sure Canonical (Ubuntu) too) eye watering sums for the vendor to continue supporting an EOL OS or product because they cannot upgrade easily.
mfoley
They did say that versions 3.0.14, 3.1.6 and 3.2.2 don't have the vulnerability. Does anyone know if there will be a Linux/Slackware release of these versions any time soon?
Well, the Slackware team are incredible, but the latest version of OpenSSL 3 is 3.0.13. A little backport would be welcome, though (eudev-3.2.14 is a nightmare, no offense to the eudev devs).
Last edited by bigbadaboum; 05-23-2024 at 03:44 PM.
from ntp_crypto.c:16:
/usr/include/openssl/rsa.h:282:5: note : expected « RSA * {alias struct rsa_st *} » but argument is of type « const struct rsa_st * »
int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
    ^~~~~~~~~~~~~~~~~~
ntp_crypto.c: Dans la fonction « crypto_alice »:
ntp_crypto.c:2187:2: attention : « EVP_PKEY_get0_DSA » is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  if ((dsa = EVP_PKEY_get0_DSA(peer->ident_pkey->pkey)) == NULL) {
  ^~
ntp-4.2.8p18
"ntp-4.2.8p18 fixes somewhere between 2 and 3 dozen bugs."
SCaLE 21x Slides and Speaker Notes.pdf
Quote:
checking for openssl... /usr/bin/openssl
checking pkg-config for openssl... yes, version 3.0.13
configure: Searching for openssl/evp.h without -I
checking for openssl/evp.h... yes
checking If cc supports -Werror... yes
checking if we will link to ssl library... yes
checking for openssl/cmac.h... yes
I've snagged stuff from Slackware-current before and built on the "official" release. Sometimes it's worked, sometimes not. openssl seems like it would have its tentacles in lots of other packages and I'm doubtful the attempt would be successful.
Since it's a decade-ish between new Slackware releases and openssl 1.1.1 is already at EOL, maybe the Slackware folks will come out with an openssl upgrade for 15.0 sooner rather than later.
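The "tentacles" worry above, and the earlier suggestion to work out whether the box is actually exposed before answering the compliance people, can both be measured rather than guessed. The script below is an added example, not code from this thread, from Slackware or from OpenSSL: it walks the Slackware package database and lists every installed package that ships a binary or shared object linked directly against libssl.so.1.1 or libcrypto.so.1.1. It assumes the Slackware 15.0 package database under /var/log/packages (one text file per package with a "FILE LIST:" section) and objdump from binutils on the PATH; the PKGDB variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread, not Slackware's or any poster's code.
# Inventory which installed Slackware packages ship ELF objects that link
# directly against OpenSSL 1.1 (libssl.so.1.1 / libcrypto.so.1.1), so the
# blast radius of replacing the openssl package can be judged up front.
# Assumptions: Slackware 15.0 package database under /var/log/packages
# (one text file per package with a "FILE LIST:" section), and objdump
# from binutils on the PATH. PKGDB and the function names are ours.

PKGDB=${PKGDB:-/var/log/packages}

# Read `objdump -p` output on stdin and print the OpenSSL 1.1 sonames
# named in NEEDED entries, space separated on one line (empty if none).
# Only direct dependencies are seen; a program that reaches libssl via
# libcurl, for instance, will not be listed here.
ssl11_needed_from_objdump() {
  awk '$1 == "NEEDED" && $2 ~ /^lib(ssl|crypto)\.so\.1\.1$/ {
         d = d (d == "" ? "" : " ") $2
       }
       END { print d }'
}

# Same, for a file on disk; non-ELF or missing files yield an empty line.
ssl11_needed() {
  objdump -p "$1" 2>/dev/null | ssl11_needed_from_objdump
}

# Print "package<TAB>path<TAB>sonames" for every hit in every package.
inventory_ssl11_users() {
  for pkg in "$PKGDB"/*; do
    [ -f "$pkg" ] || continue
    # Paths in the file list are relative to /; skip directories and
    # anything that is clearly not a binary or shared object.
    awk 'f { print } /^FILE LIST:/ { f = 1 }' "$pkg" | while read -r rel; do
      f="/$rel"
      [ -f "$f" ] || continue
      case "$f" in */bin/*|*/sbin/*|*/libexec/*|*.so|*.so.*) ;; *) continue ;; esac
      deps=$(ssl11_needed "$f")
      [ -n "$deps" ] && printf '%s\t%s\t%s\n' "${pkg##*/}" "$f" "$deps"
    done
  done
}

# Run the inventory only where a package database actually exists.
if [ -d "$PKGDB" ]; then
  inventory_ssl11_users
fi
```

Pipe the output through `cut -f1 | sort -u` to get just the package names; the length of that list is the honest answer to how many packages an openssl swap would touch.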